What Data Breaches Cost

In the previous article, we discussed the privacy and regulatory environments that mid-market enterprises operate in. It highlighted the importance of understanding these varying digital privacy laws in order to best protect the executives within a company.

In this section of our series, we will look more deeply at the nature of these risks – financial, reputational, legal, and others – that often result from the complex web of laws and regulations that organizations of all types and sizes are exposed to.

While we typically think of these types of risks in the context of larger enterprises, the exposures that mid-market organizations face can be equivalently onerous, and the harms to their businesses are even more severe. As a result, we will continue to emphasize the importance of safeguarding your business through the protection of executive data.

The Change Healthcare ransomware attack has left the company struggling with weeks of system and service downtime. The threat actors remotely accessed a Change Healthcare Citrix portal using compromised credentials that were not protected by sufficiently strong security controls. To avoid prolonging the downtime, the parent company, UnitedHealth Group, chose to pay the $22 million USD demanded by the ransomware group, a significant financial loss that directly impacted the company’s bottom line.

In 2023, cyberattacks on companies with fewer than 500 employees resulted in an average impact of $3.31 million USD per incident, or $164 per breached record. These costs include managing immediate damages, paying ransoms, maintaining customer service, offering discounts, and covering fines. Additional expenses come from hiring auditors, lawyers, accountants, and various consultants, and the downtime caused by these breaches leads to indirect costs from halted service delivery or product production. Many smaller businesses end up raising the price of their product or service to try to recoup the lost revenue, but they often lose customers in the process.


The 2017 Equifax data breach, which compromised the personal data of 145.5 million customers and exposed the credit card details of 209,000 individuals, elicited significant public disapproval. Following the breach, Equifax’s shares immediately dropped 13%, and a survey revealed that 54.2% of respondents believed the company should cease its operations. The software flaw that allowed the attackers to gain access to this information was avoidable: the breach would never have happened if Equifax had consistently kept its security measures up to date.

A 2018 survey conducted by Harris Poll in collaboration with IBM revealed that 75% of respondents would choose not to purchase products from companies they felt would not protect their data, and 53% said that whether a company protects their data well is a major factor in deciding to engage with it. Furthermore, 81% of respondents in a 2019 consumer survey stated they would stop online interactions with a brand following a data breach. From a financial standpoint, the estimated loss of business due to reputational damage stood at approximately $1.42 million USD as of 2022.


The recent cyberattack on Ascension Health hospitals led to significant clinical operation downtime, interrupting access to systems and impacting patient care. This week-long disruption also affected UnitedHealthcare, with some systems remaining offline despite efforts to restore operations. To alleviate the impact and ensure continuity of care, Ascension Health paid $22 million USD in Bitcoin to resolve the issue.

As mentioned in our previous article, the average time to identify and contain a data breach is approximately 277 days. Any company experiencing a data breach inevitably goes through a period of production downtime that significantly impacts its operations. This downtime poses particular challenges for SMEs, which have fewer employees and resources than larger corporations. Then comes the recovery period, during which companies are diverted from their usual production of products or services as they patch vulnerabilities, engage with customers to find solutions, and determine their next steps, prolonging the downtime further.


In the recent T-Mobile data breach, the personally identifiable information (PII) of 37 million customers was exposed. Consequently, the company faced a class action lawsuit and was accused of negligence for failing to protect its customers’ personal information. This breach involved a threat actor who utilized AI capabilities to exploit an application programming interface (API), gaining unauthorized access to T-Mobile’s systems and resulting in the theft and exposure of the PII.

Executives store various types of sensitive data, including that of employees, customers, and partners. Notably, 19% of breaches stem from compromises within business partnerships, and 74% are due to human error or privilege misuse. Consequently, inadequate security measures used by executives in their professional and personal domains could lead to legal repercussions if such data leaks.

Customers have the legal right to pursue civil lawsuits for “privacy violations, negligence, or deceptive business practices” in the event of a data breach. Regardless of the outcome, the financial burden of these legal proceedings can be substantial. Additionally, depending on regional laws, shareholders or affected partners may also initiate private lawsuits. If PII specifically is leaked, the consequences are more specific: regulatory violations and fines, litigation, and, in extreme circumstances, incarceration.

What Companies Are Doing

In anticipation of these costly risks, approximately 34% of companies, including 43% of SMEs, have begun investing in cyber insurance as a source of recovery funding should they need it. A key feature of this insurance is coverage for ransom payments, which are often made in cryptocurrencies such as Bitcoin, whose decentralized form offers attackers anonymity. However, even after paying the anonymous attackers, 78% of companies have been hit by another ransomware attack, and 63% were asked to pay even more the second time. With the continual rise in ransomware attacks, the cost of cyber insurance has also increased significantly, making it an increasingly expensive preparatory measure for companies.


Data breaches and cyberattacks pose significant threats to SMEs, amplified by their limited resources and security measures. As highlighted throughout this series, the financial, reputational, and operational impacts of these breaches are substantial, and SMEs face unique challenges in recovering from them. With almost half of data breaches involving SMEs, businesses must prioritize the protection of executive data to mitigate these risks and safeguard their operations.
